Attackers first used Go to create malware in 2012, but the practice hasn’t gained any traction over the years.

Once it infects a system, the Linux malware collects information on the infected machine, including the operating system, CPUs and processes, the researchers said in a post.

The harvested data is sent to a command and control (C&C) server, which responds with a configuration file for downloading a cryptocurrency mining application.

The sample analyzed by Dr.Web delivered an application designed for Monero (XMR) mining. Monero is an open source cryptocurrency currently valued at $2 per unit, but unlike Bitcoin, it can still be mined using personal computers.

Researchers also said Linux.Lady.1 is capable of spreading to other Linux computers on the infected network. It does this by attempting to connect to remote hosts over port 6379 without a password. Researchers said the attackers are counting on the host being poorly configured.

If the connection is successful, Linux.Lady.1 downloads a script from a specified URL and adds it to the Cron scheduler of the infected device. This script, detected by Dr.Web as Linux.DownLoader.196, is responsible for downloading and installing a copy of the Linux Trojan on the compromised device.
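
A defender-side check for the misconfiguration described above, added here as an example and not taken from the Dr.Web report. Port 6379 is the default port of the Redis data store, so the code assumes the exposed service is Redis and audits a `redis.conf` for a listener that is reachable beyond loopback with no password. The function names, finding codes and sample configurations are constructed for illustration, and only `requirepass` is checked, not ACL user files.

```python
import ipaddress
import shlex

def parse_conf(text):
    """Parse redis.conf-style text into {directive: [args]}; last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # handles quoted values such as ""
            conf[name.lower()] = args
    return conf

def first(conf, name, default):
    args = conf.get(name)
    return args[0] if args else default

def is_loopback(addr):
    addr = addr.lstrip("-")  # newer Redis allows a "-" prefix on optional addresses
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:       # "*", "::*" or a hostname
        return addr == "localhost"

def audit(text):
    """Return finding codes (hypothetical names) for a passwordless, exposed listener."""
    conf = parse_conf(text)
    if int(first(conf, "port", "6379")) == 0:
        return []            # TCP listener disabled
    findings = []
    has_password = bool(first(conf, "requirepass", ""))
    binds = conf.get("bind")  # no bind directive means all interfaces
    if not has_password and (binds is None or not all(map(is_loopback, binds))):
        findings.append("NO_AUTH_NON_LOOPBACK")
    # Reported separately rather than used to suppress the finding above.
    if not has_password and first(conf, "protected-mode", "yes").lower() == "no":
        findings.append("PROTECTED_MODE_OFF")
    return findings

# Constructed sample configurations, not taken from any real host.
WEAK = "port 6379\nbind 0.0.0.0\nprotected-mode no\n"
HARDENED = 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass "constructed-example-secret"\n'

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

An empty finding list means the file sets a password or binds only to loopback; it does not verify firewall rules or what the running process actually loaded.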